U.S. Department of Agriculture
Office of Inspector General
Midwest Region
Audit Report

CONTROLS OVER THE ACCESS, DISCLOSURE, AND USE OF SOCIAL SECURITY NUMBERS

Report No. 27601-29-Ch
FEBRUARY 2003

UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

DATE: February 26, 2003

REPLY TO ATTN OF: 27601-0029-CH

SUBJECT: Controls Over The Access, Disclosure, and Use of Social Security Numbers

TO: Roberto Salazar
Administrator
Food and Nutrition Service

ATTN: Lael Lubing
Director, Grants Management Division

This report presents the results of our audit of the Controls Over the Access, Disclosure, and Use of Social Security Numbers. The Food and Nutrition Service’s responses to the official draft, dated January 16 and 21, 2003, are included in their entirety as exhibits B and C, with excerpts and the Office of Inspector General’s position incorporated into the Findings and Recommendations section of the report.

Based on the information contained in the responses, we have reached management decisions on Recommendations Nos. 2, 4 and 5 in the report. Please follow your agency’s internal procedures in forwarding documentation for final action to the Office of the Chief Financial Officer. We have not reached management decision on Recommendations Nos. 1 and 3.
Management decisions can be reached when the Food and Nutrition Service provides the additional information outlined in the OIG Position sections of the report.

In accordance with Departmental Regulation 1720-1, please furnish a reply within 60 days describing the corrective action taken or planned and the timeframes for implementation of those recommendations for which management decision has not yet been reached. Please note that the regulation requires that management decisions be reached on all findings and recommendations within a maximum of 6 months from the date of report issuance, and final action to be taken within 1 year of each management decision.

/s/

RICHARD D. LONG
Assistant Inspector General for Audit

EXECUTIVE SUMMARY
CONTROLS OVER THE ACCESS, DISCLOSURE AND USE OF SOCIAL SECURITY NUMBERS
AUDIT REPORT NO. 27601-29-Ch

RESULTS IN BRIEF

This report presents the results of our audit of the Controls Over Access, Disclosure, and Use of Social Security Numbers (SSN’s). We performed this audit in conjunction with the President’s Council on Integrity and Efficiency (PCIE). The Social Security Administration’s (SSA) Office of Inspector General was the lead agency coordinating the audit. The audit was based on a Government Accounting Office study to determine how and to what extent Federal, State, and local Government agencies use individuals’ SSN’s and how they safeguard records and documents containing SSN’s.
The objective of our audit was to assess the controls over the disclosure and use of SSN’s by third parties in the Food Stamp Program (FSP), one of the largest USDA programs using SSN’s.

Our audit disclosed that Food and Nutrition Services’ (FNS) controls over the disclosure of SSN’s to third parties, contractors’ access and use of SSN’s, requirements placed on entities receiving SSN’s, and direct access to SSN’s by other organizations were in place and functioning. However, we found several instances at the State and county level where controls over computer access and physical access of SSN’s needed strengthening. Specifically, the States needed to limit access to SSN’s and prevent the possibility of identity theft from unauthorized disclosure of FSP SSN’s located in computer files or on written documents. We noted that two of four county offices visited had control weaknesses that allowed access to SSN’s through the computer system.
We also noted that case files in two county offices were kept in unlocked drawers, file cabinets, and boxes.

KEY RECOMMENDATIONS

We recommended that guidance be issued to the Food and Nutrition Service Regional Office and State offices concerning access to confidential information in FSP databases, and that confidential information be secured according to internal procedures.

USDA/OIG-A/27601-29-Ch Page i

AGENCY RESPONSE

FNS’ responses to the official draft report, dated January 16 and 21, 2003, generally agreed with the audit findings and recommendations.

OIG POSITION

Based on the FNS’ responses, management decisions can be reached on Recommendations Nos. 2, 4, and 5. Management decisions can be reached on the Recommendations Nos. 1 and 3 once FNS has provided us with the information specified in the OIG Position sections of the report.
We have incorporated applicable portions of FNS’ responses, along with our position, in the Findings and Recommendations section of the report. FNS’ responses to the official draft report are included in their entirety as exhibits B and C of the audit report.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
   RESULTS IN BRIEF
   KEY RECOMMENDATIONS
   AGENCY RESPONSE
   OIG POSITION
TABLE OF CONTENTS
INTRODUCTION
   BACKGROUND
   OBJECTIVES
   SCOPE
   METHODOLOGY
FINDINGS AND RECOMMENDATIONS
   CHAPTER 1
   SAFEGUARDING OF SOCIAL SECURITY NUMBERS
   FINDING NO. 1
   RECOMMENDATION NO. 1
   RECOMMENDATION NO. 2
   FINDING NO. 2
   RECOMMENDATION NO. 3
   RECOMMENDATION NO. 4
   RECOMMENDATION NO. 5
   EXHIBIT A – SITES VISITED
   EXHIBIT B – FNS’ NATIONAL OFFICE RESPONSE TO DRAFT REPORT
   EXHIBIT C – FNS’ REGIONAL OFFICE RESPONSE TO DRAFT REPORT

INTRODUCTION

BACKGROUND

The Food Stamp Program (FSP) is administered by the Food and Nutrition Service (FNS) through 7 Regional Offices, and in cooperation with 53 State welfare agencies. Through the State agencies, the FSP provides benefits to low-income people to buy
eligible food in authorized retail food stores. In Fiscal Year (FY) 2001, the FSP provided benefits to 7.5 million households and 17.3 million individuals each day. Individuals must complete an application and meet certain income and resource criteria to receive benefits. It is through the application process that States obtain, verify, and maintain personal information for each applicant, including the social security numbers (SSN) for each household member participating in the FSP.

Due to concerns over the widespread collection and sharing of personal information, and occurrences of identity theft, Congress asked the Government Accounting Office (GAO) to study how and to what extent Federal, State, and local government agencies use individuals’ SSN’s and how they safeguard records and documents containing SSN’s. The expanded use of the SSN as a national identifier provides a tempting motive for many unscrupulous individuals to acquire a SSN and use it for illegal purposes. While no one can fully prevent SSN misuse, Federal agencies have some responsibility to limit the risk of unauthorized disclosure of SSN information. In response, the Chairman of the House Ways and Means Subcommittee on Social Security asked the Social Security Administration and the President’s Council on Integrity and Efficiency (PCIE) to look across Government at the way Federal agencies disseminate and control the use of SSN information to third parties.

As a result of this request, the U.S.
Department of Agriculture’s (USDA) Office of Inspector General (OIG) initiated an audit of controls over the access, disclosure, and use of SSN’s in the FSP, one of the largest USDA programs to use SSN’s. The Privacy Act[1] and other statutes regulate FNS’ use of SSN’s, while State agencies are responsible for administering the FSP in accordance with the Food Stamp Act[2], Federal regulations[3], and their FNS approved Plans of Operation[4].

[1] The Privacy Act of 1974, 5 U.S.C. §552A as amended
[2] The Food Stamp Act of 1977, 7 U.S.C. 2020
[3] 7 CFR Parts 271 through 283
[4] The Food Stamp Act of 1977, 7 U.S.C. 2020(d)

Specifically, with regard to collecting SSN information, Section 7 of the Privacy Act requires any agency which requests an individual to disclose his/her SSN to inform them whether the disclosure is mandatory or voluntary, by what statutory authority or other authority the request is made, and how the agency will use the number. With regard to disclosures of SSN’s contained in Federal record systems (i.e., records maintained on individuals), the Privacy Act controls the use and disclosure of such personal information, but without specifically addressing SSN’s. For each record system maintained by an agency, a Privacy Act notice must be published.
The notice must contain the routine uses and disclosures of that system’s information, which will include the SSN if relevant.

The Food Stamp Act of 1977, which governs the States, mirrors the Privacy Act. The Food Stamp Act requires disclosure of SSN’s of all household members as a condition of eligibility for participation in the FSP, and the State agencies are authorized to use those SSN’s in the administration of the FSP. Regulations require that each application form notify households how their information and SSN will be used[5]. The Food Stamp Act requires that States, through their Plans of Operation, provide safeguards that limit the use or disclosure of information obtained from the applicant households and enforcement of the provisions of this act[6].

Additionally, the Food and Agricultural Resources Act of 1990 (P.L.101-624), Section 1735, requires a SSN for the officers of food and retail stores that redeem food stamps, and provides that the SSN’s maintained will be confidential and may not be disclosed.

OBJECTIVES

Our objective was to assess the controls over the access, disclosure, and use of SSN information by third parties.
Specifically, we determined whether the FSP as a whole: (1) Makes legal and informed disclosures of SSN’s to third parties; (2) has appropriate controls over contractors’ access and use of SSN’s; (3) has appropriate controls over other entities’ access and use of SSN’s; and (4) has adequate controls over access to individuals’ SSN’s maintained in its databases.

SCOPE

We performed audit work at the FNS National Office in Alexandria, Virginia, and the FNS Midwest Regional Office in Chicago, Illinois. We judgmentally selected State offices for testing including one where the FSP is State administered (Illinois) and one where the FSP is county administered (Wisconsin). Within each State, we judgmentally selected 2 county or local offices, hereinafter referred to as county offices, based on location and size. (See exhibit A.)

[5] 7 CFR, Subtitle B, Chapter II, Part 273.2(b)(4)
[6] The Food Stamp Act of 1977, 7 U.S.C. 2020(e)(8)

We followed the audit guide set forth by the Social Security Administration (SSA) Office of Inspector General. This guide focused on the 4 sections in the GAO program questionnaire completed by the FSP offices.
The sections included questions numbered 39 through 63 and covered the following four areas: (1) Disclosures of individuals’ SSN’s to third parties; (2) controls over contractors’ access and use of SSN’s; (3) requirements placed on entities receiving SSN’s; and (4) controls over direct access to individuals’ SSN’s by other organizations.

Our audit primarily covered calendar year 2001. However, calendar year 2002 data was reviewed where deemed necessary to accomplish the audit objectives. Our audit work was conducted from March 5 through May 20, 2002.

We conducted the audit in accordance with Government Auditing Standards established by the Comptroller General of the United States for performance audits.

METHODOLOGY

To accomplish our objectives we:

• Reviewed Federal laws and regulations related to the collection, use and privacy of SSN’s, including the Privacy Act and Food Stamp Act.
• Reviewed the State Plans of Operation, for the selected States.
• Reviewed applicable State policies, procedures, and rules and regulations governing the proper safeguarding of confidential information.
• Reviewed controls over the disclosure of, and access to, SSN information.
• Reviewed contracts or memoranda of understanding with third party contractors and subcontractors.
• Reviewed the controls over the destruction of sensitive information.
• Observed the physical security over sensitive information at the State
and county offices.
• Interviewed agency officials responsible for controlling SSN disclosure and access.
• Verified and updated key pieces of information provided on the GAO questionnaires by FSP offices.
• Obtained documentation supporting FSP offices’ answers to the GAO questionnaire, questions 39 through 63.

FINDINGS AND RECOMMENDATIONS

CHAPTER 1
SAFEGUARDING OF SOCIAL SECURITY NUMBERS

We found several instances at the county level where confidential information, such as Social Security numbers (SSN’s), of Food Stamp Program (FSP) applicants and participants were not sufficiently safeguarded to protect against unauthorized use or disclosure. We noted weaknesses in the controls over both computer access and physical access, which are intended to safeguard the confidentiality and misuse of FSP participants’ SSN’s. As a result, the SSN’s are susceptible to theft and unauthorized use.

FINDING NO. 1
COMPUTER ACCESS TO SOCIAL SECURITY NUMBERS WAS NOT ADEQUATELY SAFEGUARDED

We found that computer users in two of four county offices reviewed had inappropriate access to SSN’s due to weaknesses in the controls over the granting and monitoring of computer access. As a result, SSN’s were not adequately safeguarded and kept confidential, which created the potential for the use of SSN’s in identity theft.

The Food Stamp Act requires State safeguards limiting the use and disclosure of FSP information. Additional regulations require States to have computer model plans,[7] which maintain appropriate levels of confidentiality of program information.

We obtained State security office lists of computer users in the two State and four county offices tested. Included on the lists were State and county office employees, outside contractors or subcontractors, and other third parties, such as outside researchers. We included users with access to the outside electronic benefits transfer system and to State systems.
We interviewed employees and contractors, spoke with county security officials who approved access requests, State security officials who implemented requests, and obtained information about specific job duties to determine whether access was properly authorized and appropriately limited to users’ duties on a need to know basis only.

[7] 7 CFR 272.10(b)(3)(iii)

Based on our review, we found examples of access granted to those who were not authorized under Wisconsin State policy to use State or Social Security Administration (SSA) databases containing individuals’ SSN’s, and found examples where access levels exceeded those necessary to perform job duties. For instance, in one county we determined that the security officer did not adequately review the computer access request forms, which were then forwarded to the State security office for activation. In addition, the State relied solely on the computer access form, which did not provide sufficient information or was not correctly completed for the State to determine if the access requested was appropriate. The State informed us that they generally rely on the county security officers’ signature as proof that a request for access is valid; therefore, unless a request is grossly inappropriate it will be activated.
We also noted that the State security office does not periodically review or monitor current employees’, contractors’ or subcontractors’ computer access on a regular basis to ensure that access and security levels were accurate and updated properly and promptly. As a result of the various exceptions of inappropriate access, there is the potential for theft and unauthorized use of SSN’s.

At the same county office as above, we judgmentally selected 24 of the county office’s 143 users to test computer access to FSP data in the State Client Assistance for Reemployment and Economic Support (CARES) system, and the county database within that system. We discovered that a contracted case manager who was not responsible for determining eligibility, had access to the SSA’s database through CARES, which was prohibited by the State’s data sharing agreement with the county. The county security officer confirmed that all 7 case managers, including the one in our sample, had access to the SSA’s database through CARES. He stated that he was unaware that access to the SSA’s database for outside contractors was prohibited by the data sharing agreement with the State.

The county security officer was responsible for monitoring compliance of the agreement between the State and the county. In addition, he was the individual designated by the county to request access for individuals on staff and contractors from the county office. Once the access request forms were completed and signed, they were forwarded to the State security officers for review and activation.
The State security officers were aware of the requirements of the data sharing agreement, however they were unaware that the case managers were contractors until we brought it to their attention during the audit. We determined that the computer access form did not identify the contractor to the State security officers, so they could limit their access. Six of the seven case managers wrote on the form that they worked for the Kenosha County Department of Human Services (DHS). However, the State still granted access to the one case manager, who correctly identified himself as a contractor. The State had no explanation for this and stated it was an oversight. If the State is relying on the county security officer signatures and not evaluating each request form based on the information presented, they have no way of determining if request for access is valid.

We also interviewed the selected case manager that had Statewide database inquiry. She stated her duties only required countywide access in the State’s database. The State security officer stated that all seven of the case managers, including the one tested in our sample, had Statewide inquiry access. The county security officer had previously stated that all case managers performed the same duties; therefore all seven would have been able to perform their job with the inquiry access limited to the county. The State security officer stated that Statewide access is granted unless the request form specifies countywide access only.
However, the access request form does not specifically mention whether access should be limited to the county so county offices generally do not limit access when preparing a request.

We also noted other instances where the users’ level of computer access exceeded that required to accomplish their duties. Although this additional access did not give the users access to any more SSN’s than they already had, we believe it is necessary for the State to ensure that the county offices have appropriate guidance and controls in place to ensure that access is commensurate with job requirements.

A former county employee, now a private investigator, had access to FSP SSN’s in the State’s CARES system. The private investigator was self-employed and contracted to perform front-end verification of eligibility and fraud investigations as required. When we asked about the appropriateness of the private investigator’s access to the database, the State security officer immediately revoked the investigator’s access and stated that this can occur when the State security officer cannot determine, based on the computer access request form if the user should have access or not. In some cases, the form may indicate that the user is a county employee when in fact they work for an outside contractor or subcontractor, because the request form does not adequately identify the user as an outside contractor. A user may also mistakenly report that they are working for the county when they are contracted to perform services for the county.
In this case, the computer access form for the private investigator indicated she was working for DHS. The county security employee believed that the investigator required access to the FSP files because she performed duties in the administration and enforcement of the FSP. However as an outside contractor, the State security officer stated that no outside contract private investigator should be given access to CARES. The security officer also said that information required by the investigator should be obtained on a case-by-case basis from the employee who assigns the case to the investigator.

In addition to the private investigator’s access, we also found that a county Government user had access to FSP SSNs on the State’s data warehouse to produce statistical reports for the county Government. The State data sharing coordinator stated that they do not require a data sharing agreement with the county because it is a Government agency. The State could not explain why access to individual SSN’s was granted to the user, because the State security supervisor who granted this access has retired. The State security officer stated that access should not have been granted, since the county does not require the SSN’s to produce the statistical reports.
Since our audit, the State has set up a separate computer user access for the county Government to receive one data file by file transfer that contains no personal identifiers, including SSN’s.

Our review disclosed several instances where weaknesses in procedures and documentation of the computer access policies created inappropriate computer access to SSN’s and created the opportunity for identity theft.

RECOMMENDATION NO. 1

Issue guidance to the Food and Nutrition Service Regional Offices (FNSRO) and State offices reminding them to ensure that access to confidential information in FSP databases is appropriate to the users’ duties and is sufficiently limited on a “need to know basis.”

Agency Response

FNS officials generally agreed with the finding. They will provide more details of planned actions at a later date.

OIG Position

To reach a management decision, FNS officials need to provide us with the guidance that will be provided to its regional offices, and the State offices, and the timeframe when this action will be completed.

RECOMMENDATION NO. 2

Follow-up with the State of Wisconsin to ensure that computer access procedures, including computer access request forms, are appropriate to the users’ assigned duties.

Agency Response

FNS Regional officials required the State to strengthen computer access procedures and documents.
The State also is implementing a training
program in this area.

OIG Position

We have accepted FNS’ management decision for this recommendation.
For Final Action, FNS needs to provide the Office of the Chief Financial
Officer (OCFO) with documentation that it required the State to strengthen
computer access procedures and documents.

FINDING NO. 2

PHYSICAL ACCESS TO SOCIAL SECURITY NUMBERS WAS NOT SAFEGUARDED

In one Wisconsin county office, we found that desk drawers, file cabinets,
and boxes of papers to be shredded were not properly secured and locked.
The county security officer stated they did not have a policy to lock
their desk drawers or file cabinets and had not considered the possible
access to data by other employees and custodial staff a breach
of physical security. In an Illinois county office, a file room without locks
contained FSP files in 35 boxes and 300 file cabinets. As a result, SSN’s
and other sensitive information were not adequately protected from
unauthorized disclosure and possible use in identity theft.

The Food Stamp Act and Food Stamp Regulations⁸ require safeguards
which limit the use or disclosure of information obtained from applicant
households to persons directly connected with the administration or
enforcement of the FSP laws and regulations.
In addition, regulations
state that recipients of information released under 7 CFR 272.1(c)(1) must
adequately protect the information against unauthorized disclosure to
persons or for purposes not specified⁹. Prudent business practice would
also suggest the use of locked desk drawers, file cabinets, or rooms as
the proper safeguard for participant information.

⁸ 7 CFR 272.1(c)(1)(i)
⁹ 7 CFR 272.1(c)(2)

In Wisconsin, we observed specific examples of sensitive records being
left out unlocked on desktops or open shelves after normal working hours.
For example, 12 case files were left on a desk or credenza in each of two
child support workstations and about 30 case files were left on open
shelves in another child support workstation. Child support workers verify
the paternity of every minor included in a food stamp assistance group,
and the security officer indicated some of the files would contain food
stamp SSN’s. We specifically noted that a data processing specialist,
whom we had interviewed earlier in the day and who is responsible for
entering participant data into the county office’s master database, left
documents containing SSN’s and other personal identifiers out on her desk
in plain sight after she had left for the day.

In the Economic Support work area, a caseworker stated that she always
kept her food stamp monthly caseload report, which contains SSN’s for all
her cases, on an open shelf.
We confirmed this during our observations
after hours.

The county security officer stated they did not have a policy to lock their
desk drawers or file cabinets because the majority of the workers were
located beyond a locked door and the public was always escorted within
those areas. He did not consider the presence of after-hours custodians
and other employees or contractors, who should not have access to
SSN’s, to be a breach of controlled physical access.

The Wisconsin security manual states: “It is the State’s responsibility to
ensure that reasonable steps are taken to safeguard sensitive and
confidential client information. Physical access means the ability to obtain
paper reports located in an office.” The manual adds: “Any computer
printouts of information, case record information, etc., must not be left
where others can access it. This information must be secured in locked
files.”

Continuing in the Wisconsin security manual: “If paper or printouts are
used, items with client specific data should be secured when the user
leaves their work area. By secured, a locked file cabinet may be used for
very sensitive information (such as Food Stamp Program eligibility data) or
a locked desk drawer might be suitable depending on how accessible the
office is to non-staff. Confidential or sensitive information must not be left
in a place for individuals who should not have access to it.” And “If using
paper or printouts, items with client specific data should be secured when
you leave the area. Any printout with confidential information (including
screen prints) should be filed; it must be locked up.
When they are
discarded, they must be shredded.”

The State/County Data Sharing Agreement states: “Protection Against
Unauthorized Access or Disclosure – the County agrees to comply with
the following measures to protect the confidentiality of any information
provided under this agreement and to protect such information against
unauthorized access or disclosure. The information shall be stored in a
place physically secure from access by unauthorized persons in
conformance with the State’s security system rules and State internal
security rules.”

We also noted an Illinois county office where case files were stored in
300 unlocked filing cabinets and 35 boxes within a storage room without a
lock. The local office administrator agreed that security over files was not
adequate. At a minimum, the storage room should be locked. Illinois
policy¹⁰ is broad and calls for effective control over the maintenance of
records. As a result of the lack of physical safeguarding of access to
SSN’s, there is the potential of theft of SSN’s, unauthorized disclosure,
and identity theft.

¹⁰ Illinois Administrative Directive No. 01.05.04.030 effective 10/01/01

RECOMMENDATION NO. 3

Issue guidance to the FNSROs and State offices reminding them to
ensure that data such as SSNs is properly secured, according to internal
procedures.

Agency Response

FNS officials generally agreed with the finding. They will provide more
details of planned actions at a later date.

OIG Position

To reach a management decision, FNS officials need to provide us with
the guidance that will be provided to its regional offices, and the State
offices, and the timeframe when this action will be completed.

RECOMMENDATION NO. 4

Follow up with the State of Wisconsin to ensure county offices’
compliance with State security requirements over FSP SSN’s, according
to internal procedures.

Agency Response

The State is publishing a joint operation memorandum for all authorized
users of public assistance program data on CARES. The memorandum is
a policy statement that reiterates Wisconsin’s requirements for
safeguarding access to sensitive records.

OIG Position

We have accepted FNS’ management decision for this recommendation.
For Final Action, provide documentation to OCFO that the State has
issued the memorandum.

RECOMMENDATION NO. 5

Follow up with the State of Illinois to ensure county offices’ compliance
with State security requirements over FSP SSN’s, according to internal
procedures.

Agency Response

The Department of Human Services has issued two new Administrative
Directives on the subject of employee conduct, both of which cover
security issues. The Office reviewed during the audit has since moved
locations and now has a locked file room.

OIG Position

We have accepted FNS’ management decision for this recommendation.
For Final Action, provide documentation to OCFO that the State has
issued the memorandums.

EXHIBIT A – SITES VISITED

Office                                         Location
Food and Nutrition Service Headquarters        Alexandria, Virginia
FNS Midwest Regional Office                    Chicago, Illinois
Illinois State Office                          Springfield, Illinois
Sangamon County Local Office                   Springfield, Illinois
Lower North (Cook County) Local Office         Chicago, Illinois
Wisconsin State Office                         Madison, Wisconsin
Kenosha County Department of Human Services    Kenosha, Wisconsin
Richland County Health & Human Services        Richland Center, Wisconsin

EXHIBIT B – FNS’ NATIONAL OFFICE RESPONSE TO DRAFT REPORT

EXHIBIT C – FNS’ REGIONAL OFFICE RESPONSE TO DRAFT REPORT

Informational copies of this report have been distributed to:

Office of the Chief Financial Officer
       Director, Planning and Accountability Division (1)
Administrator, FNS
       Through Agency Liaison Officer, FNS (8)
General Accounting Office (1)
Office of Management and Budget (1)
"